Designing the Delegation of Authority
Rather than granting all administrators the rights and permissions of Active Directory service administrators by making them members of the Domain Admins or other Active Directory service administrator security groups, as was commonly done in Windows NT domains, Active Directory enables you to place accounts and resources into OUs and delegate an appropriate level of authority over those objects to administrative staff. By doing this, you can create data management administrators who have autonomous or semiautonomous authority over Active Directory objects, domain member computers, and data. The simplest way to do this in Active Directory is to create OUs based on management requirements and to delegate ...
Get Microsoft® Windows® Security Resource Kit, Second Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
